Note: Where available, the PDF/Word icon below is provided to view the complete and fully formatted document
 Download PDFDownload PDF 

Previous Fragment    Next Fragment
Human Services (Enhanced Service Delivery) Bill 2007

CHAIR —Good morning. Before I invite my colleagues to ask questions, does anyone have an opening statement to make?

Federal Agent Drennan —Yes, if I may. Thank you for the opportunity to make a brief opening statement on behalf of the Australian Federal Police, as the AFP has not made a written submission to the Senate inquiry. The AFP acknowledges that the introduction of the access card is designed primarily to deliver greater customer convenience and improved efficiencies within government administration. We also recognise, however, that the access card will reduce the incidence of fraud on the Commonwealth and combat criminal offences facilitated by identity crime. The access card will play an important role in combating fraud facilitated by identity crime by providing greater certainty about any one individual’s entitlement to receive Commonwealth benefits. The AFP supports the introduction of the access card as a mechanism to create a greater level of surety around a person’s entitlement to receive Commonwealth public revenue and consequently reduce the incidence of fraud against the Commonwealth.

The AFP also anticipates the access card will result in a reduction in the use of existing Commonwealth benefit cards in the facilitation of crime. For example, the current Medicare card is easy to counterfeit and reproduce owing to the absence of rudimentary security features such as a photographs, signatures and other technological protections to ensure the integrity of the card’s information and security. Operational policing experience has identified widespread exploitation of forged Medicare cards to support a range of criminal activities, notably fraud related offences. The access card will significantly reduce the opportunity for a government benefits card to be used to underpin the establishment of a false identity or theft of existing identity.

The AFP is participating in a number of Office of Access Card working groups to provide advice on the development of the security architecture and implementation processes of the access card. The introduction of smartcard technology to the access card will mean state-of-the-art technology is applied to protect data contained on the card, to strictly control access and modification of card information and, ultimately, to counter and reduce fraudulent activity.

In relation to specific provisions of the bill, the AFP is concerned about the offence provision in clause 57, specifically making it an offence for a person to copy or record certain information from a person’s access card. The ability of law enforcement officers to copy or image an access card is a vital tool in effective and efficient conduct of investigations. Without the ability to copy information or image the card itself, intelligence analysis and investigative activity could be significantly impeded. The AFP notes that clause 57 does not apply where a person is a delegate or an authorised person. It is the AFP’s position that law enforcement staff need to be specifically precluded from this offence provision when carrying out law enforcement functions.

Thank you again for the opportunity to address you with an opening statement, and I invite questions the committee may have in relation to the bill. I should point out however that, although I will endeavour to answer as much as possible in this public forum, as you may appreciate, there may be some issues that are better dealt with in camera.

CHAIR —Thank you, Mr Drennan. Mr O’Sullivan, do you have a statement?

Mr O’Sullivan —Yes, good morning. I would be pleased to open up with some comments that may help the committee. It might be useful if I provided some context which would assist the committee to understand ASIO’s role in connection with the access card. I say that because I note from the record that some of the questions already raised by committee members relate to operational methods and capabilities and, just as my colleague from the AFP has commented, consistent with longstanding practice, I will not be able to provide specific responses to those operational matters in this particular forum.

Since 2002, the parliament has enacted specific legislation that is directed at ensuring intelligence, security and law enforcement agencies have the powers available to them to be effective in countering security threats that we face, particularly in connection with terrorism. That has happened, of course, against the background of successful attacks against Australians overseas and others in Australia that were planned, aborted or disrupted. The ultimate goal of security, intelligence and law enforcement agencies is the protection of Australia, Australians and Australian interests from harm. In the case of ASIO, those threats to security are defined in the ASIO act. That means preventing those who would seek to maim, kill or destroy the people, the values and the things that we cherish.

Operating in this environment means that ASIO’s security and intelligence investigations must remain focused on individuals, groups or organisations whose activities, background and associations are assessed to be relevant to security and who present a sufficient threat to warrant investigation by ASIO. Needless to say, ASIO operates strictly within the legislative framework put in place by this parliament. But ASIO is also subject to guidelines issued by the Attorney-General which require that any ASIO requests for access to personal information held by Commonwealth agencies must be limited to what is reasonably necessary for the purposes of approved investigations. As a matter of fact, those guidelines are available publicly, including on the ASIO website.

ASIO has a system of internal procedures and protocols which require investigations to be authorised by a senior officer or by an SES officer. I note that ASIO does not require a warrant from the Attorney-General in order to seek information from other Commonwealth agencies, but all such investigations are subject to the oversight of the Office of the Inspector-General of Intelligence and Security, and that any intrusion into the privacy of individuals must be commensurate with the assessed level of threat. ASIO draws on a range of information in conducting its investigations, including information available publicly, information provided by other Australian agencies or by international liaison partners, as well as information obtained covertly through a range of means, including under warrants issued by the Attorney-General.

Increasingly, people who are of security interest are becoming more adept at concealing their activities and their true intentions in order to avoid detection by authorities, so investigations into their activities which are relevant to security need to be done discreetly if they are to be effective. Any requirement which demanded the consent of individuals before the collection of their personal information, or required them to be advised of the purpose of the collection, or provided for access to ASIO’s records, would necessarily be completely incompatible with the discreet investigations to which I have just referred. Such requirements would alert people of security interest to the existence of covert investigations and would risk inappropriate disclosure of ASIO’s methods, capabilities and sources. It would also undermine ASIO’s domestic and international liaison relationships, since partner agencies would be likely to withhold intelligence if there were a requirement for ASIO to disclose this information to such persons of security interest.

ASIO’s requirements to obtain a range of information about people of security interest is not new, of course; it has been central to ASIO’s work since the organisation was established in 1949. I note and agree with the comments by Senator Ian Campbell to this committee on 16 February when he said:

... access by ASIO or any of the other agencies, such as the Federal Police, to information is not changed by the access card.

He went on to say:

We are not going to give them any more powers.

The use of intrusive methods of investigation inevitably raises questions about the balance between meeting national security imperatives and civil liberties. How that balance is defined at any particular moment is an issue for interpretation and debate in the first place and, most importantly, in this parliament. From ASIO’s perspective, the current balance and the framework that has been put in place are appropriate to the tasks that we have been assigned under our act. So, while I cannot go into the details about methodologies or capabilities, I can advise the committee that ASIO will not have online access to the access card register or databases; requests for information would be made to the Department of Human Services. Neither will ASIO officers be permitted to ask to see the access card of a person who is to be interviewed, consistent with the relevant clause of the human services bill.

Finally, can I just observe that section 20 of the ASIO Act places a special responsibility on me as the Director-General of security. It states:

The Director-General shall take all reasonable steps to ensure that:

(a) the work of the Organisation is limited to what is necessary for the purposes of the discharge of its functions;

ASIO has systems and procedures in place to achieve that requirement, and actively cultivates an organisational culture directed at ensuring that that occurs. That is why ASIO’s investigations will remain tightly focused, strictly controlled and fully accountable. So, to the extent I am able, I will be very pleased to answer questions from the committee.

CHAIR —Mr O’Sullivan, you just mentioned that the access card does not in effect change the access of the AFP or ASIO with respect to information. Is that really the issue, or is the issue that the access card creates some very powerful intelligence—for example, it is potentially a photographic database of every Australian? We do not have that yet, but if this proposal goes ahead we may have it. So the issue is not so much that the law changes with respect to accessing information but that the intelligence available is far more powerful. Do you see ASIO wishing to have access to that potential biometric photographic database, and on what grounds?

Mr O’Sullivan —One dilemma in coming towards that question is that it gets very close to operational details of how we proceed. The reason I think Senator Ian Campbell used that phrase in his comments to the committee on 16 February—I assume anyhow—was that he had been advised, and I believe accurately, that the resources that agencies currently have to obtain information are not increased by the existence of the access card. If the access card did not exist or does not come into existence, the same information would be sought by the agencies.

CHAIR —Sure, and I understand that. I am not saying the law is changing, but the databases that may become available will change? There will be, potentially, a biometric photographic database of all Australians, and that means that the potential power of ASIO or, indeed, the Australian Federal Police—

Mr O’Sullivan —But that assumes that you would not be able to get the information by some other means if the card did not come into existence.

CHAIR —This will make it a lot easier, Sir.

Mr O’Sullivan —Whether there is a greater degree of ease is a sort of debatable point, I think. What I just say is that, from an ASIO point of view, the range of information will not be expanded by the existence of the database.

CHAIR —But the ease with which you can obtain access to photographs of 20 million Australians will be expanded, enormously. It is just a fact.

Mr O’Sullivan —As I say, that is an assertion about an ease of methodology; it is not an assertion about the existence of the information.

CHAIR —As to the amount of fraud, in relation to the AFP the government has said on many occasions that this legislation really centres on two facts: firstly, facilitating access to welfare and, secondly, fighting fraud. I note the submission from the Department of Human Services has cited the Australian Federal Police. Let me say what DHS says in that regard:

Recently, the Australian Federal Police estimated that Medicare cards are involved in some way in more than 50 per cent of identity fraud cases. In a recent speech at a counter-terrorism summit, the Australian Federal Police Commissioner, Mick Keelty, estimated that identity fraud costs Australians between $1 billion and $4 billion annually.

How would the commissioner or the AFP come to that conclusion?

Federal Agent Drennan —Which conclusion, the extent of the fraud?

CHAIR —That identity fraud costs Australians between $1 billion and $4 billion annually. How do they arrive at that figure? I am not saying it is incorrect?

Federal Agent Drennan —Probably the first thing to say is that the reason there is a range there—

—Yes, and it is a big range: between $1 billion and $4 billion.

Federal Agent Drennan —is that it is quite difficult to quantify. But a great amount of research has been done, particularly in the private sector, which attempts to quantify it. There are experiences in relation to the extent of fraud underpinned by identity which we see. Work has been done by the Australian Institute of Criminology and a number of other bodies out there conducting research, and we rely upon the figures provided by them in an attempt to quantify it. The reason the range is so broad is that it is such a difficult thing to quantify.

CHAIR —Did the AFP give any assistance to KPMG? On the same page of the submission of the Department of Human Services, it states:

KPMG has estimated that the Government will save $3 billion over the next 10 years by introducing the access card.

Do you know whether that is based on any information provided by the AFP?

Federal Agent Drennan —Not that I am aware of.

CHAIR —Another issue that has been raised in the last two days of hearings—among many, but it is one of the more important issues—is the information on the surface of the access card. Many organisations are concerned that the government should restrict the information on the surface of the access card for privacy reasons. Currently the government is asserting that there should be a photograph on the front and the person’s name, and on the back should be a universal identifying number and a digitised signature. I should have one of the mock-up cards with me, but I have left it in my office. Nonetheless, that is the information. Would the AFP require the photograph, the signature and the universal number to be on the card? You can see why I am asking the question, can’t you? Many of the groups we have heard evidence from are saying no you should not have that because all it does is make it a de facto ID card, and the government itself in the explanatory memoranda and in much of the information we have received from government says that this is not an ID card. With that information on it, a photograph, a digitised signature and the number, it will become immediately a de facto ID card. We could solve that problem if we took off the photo, the number and the digitised signature. I need to know from you whether we must have those elements on the card for any particular reason?

Federal Agent Drennan —In the first instance, perhaps I can refer back to your previous question in relation to the extent to which the current Medicare cards are used in committing frauds, and the figure of 50 per cent is the experience that we have. When we look at our serious and more complex investigations involving identity fraud we see the figure rise up considerably, to about 70 per cent. The reason is that, first, the current card has virtually no security features that are easily recognisable or detectable by people who are presented with the card. In fact, we see that the card is easily manufactured and forms what we would call a ‘breeder document’ to establish more robust forms of identity documents. So it forms a base level.

CHAIR —Okay, so the current Medicare card is highly susceptible to fraudulent usage.

Federal Agent Drennan —Yes, and one of the reasons is that it has a name on it, a number and not much else. When you look at the way in which identify fraud is committed, it is actually about names and identities. The reason it can be perpetuated to the extent that it is is that there is not a link between the name and the actual identity of a person by some biometric feature, which is probably the more conclusive way of actually establishing that link. We see that, if there were a biometric feature on the card which directly links to the identity of the person, the card would be far less susceptible to being misused by the person who has it and would be an indirect method of establishing other forms of identity on the basis of that card. We are very much in support of the fact that it does need to include a photograph to ensure that the card is not exploited for other reasons, as the experiences we have had with the Medicare card have shown.

CHAIR —As I understand it, there will be no benefits paid unless the smart card is accessed into a reader. In other words, that will facilitate, in a sense, social welfare. It is not supposed to be used as an ID card—or at least that is an absolutely secondary or ancillary purpose. I still do not understand why there has to be a photograph on the front. There will be a photograph on the chip. That is different, and you and I would agree on that. When you put the card in, up will come a photograph of the holder. We have even heard some evidence that having a photograph on the front allows you to facilitate identity theft. Nonetheless, I have not heard any real good evidence saying why we have to have a photograph. The Fels committee did come out in favour of it eventually but they were equivocal. They were certainly against the signature and the number, as was the Privacy Commissioner, who was against all three. I have not heard any good evidence as yet as to why the photograph should be on the card. If we are just talking about facilitating access to welfare and cutting identity fraud, why do we need the photograph? And I am waiting for the evidence, but it has not hit me like a bombshell as yet, I can tell you.

Federal Agent Drennan —I take your point that when it is inserted into the reader the photograph comes up. People will use that card for the purpose of getting their services and maybe for other reasons—and as much as we can say that people will not use it for other reasons, there is all likelihood that people will; it is their card. What we are saying is that the purpose is for the delivery of their benefits and services. But we need to ensure that there is a readily recognisable link between the holder of the card and their entitlement, and photograph is that link in the absence of the reader.

CHAIR —But there is going to be a reader; no welfare will be paid without access to a reader. That is the problem with that argument. I will hear from DHS later on. Perhaps they have some stirring arguments.

Senator FORSHAW —That is the reason we had the microchip.

CHAIR —And I think we are all agreed on that. I have probably had a fair go. Senator Stott Despoja?

Senator STOTT DESPOJA —Can I just pick up on that last point? You said ‘in the absence of a reader’, and the Chair has made the point that in the case of obtaining benefits or other services you would have the reader. So what function or purpose would the card serve, apart from being an identity card, if it is not used in conjunction with a reader?

Federal Agent Drennan —I cannot speak for what people may use the card for—that is the difficulty. For instance, people use a driver’s licence. It is a licence to drive, but what else might a person use a driver’s licence for? I am trying to be practical here—

CHAIR —I understand that.

Federal Agent Drennan —A card will be issued for a specific purpose. The card belongs to an individual. What I want to ensure is that, from a law enforcement perspective, we minimise the opportunity for the use of that card to be exploited by any person for any particular reason other than what it has been issued for.

Senator STOTT DESPOJA —Thank you for addressing some of the specifics of the legislation. Can we go for a bit of a walk through section 57—you brought it up—and the issue of authorised person? Can you outline for the committee your concerns? My understanding is that in sections 5 and 72 of the bill you get a definition of what an authorised person is. Are you suggesting that the criteria for an authorised person are insufficient for law enforcement purposes? My understanding from your comments was that you were nervous or worried that AFP involved in copying a document might be in trouble because they were not authorised people or may not have the requisite permission.

Federal Agent Drennan —Yes, it gets back to the operational activity that we may be involved in. There may be instances where we need to record details of a card. We would need to leave the card with the individual to ensure that services are available to them. But if there needs to be some inquiry made in relation to that person’s possession of the card, or some activity which may have been conducted with that card that is the subject of a criminal investigation, then we would need to take some details of that. My understanding of the bill is that if we were to do that without being authorised then we would be committing an offence against that provision.

Senator STOTT DESPOJA —Just on the practical side, apart from the function in terms of being in a position to photocopy the card in the first place, would you not be covered by section 72, where it says:

72 Authorisations by the Secretary

(1) The Secretary may, in writing, appoint:

(c) an individual prescribed by the regulations;

to be an authorised person for the purposes of a specified provision 2 of this Act in which the expression “authorised person” occurs.

Is that not sufficient for your purposes? The reason I bring that up is because yesterday we had evidence about section 57 from the Acting Privacy Commissioner in Victoria which actually presented the opposite view, and that was that these provisions and the definition of authorised person was so broad ranging that it invited a number of privacy concerns and potential privacy breaches. What makes you think that you would not be covered by that or that that is insufficient for your purposes?

Ms Hanks —Section 72 would give us the scope to be an authorised officer, but our concern is that when we spoke with DHS it was not confirmed that we would be under that power. We were just concerned that section 57 would still apply to us and that our operational needs might mean that we need to be able to copy a card or copy details at certain times. We wanted to raise section 57 as a concern because we were not sure that the authorisations by the secretary would cover the Australian Federal Police.

Senator STOTT DESPOJA —Let us find out what your solution is for dealing with that. Is that to enshrine in the legislation a definition of authorised person that includes the AFP, or is it more broad ranging than that?

Ms Hanks —Yes, that could be a solution. We would have to consult further with the Attorney-General’s Department and DHS on this issue, but that looks like a solution that would work for us.

Senator STOTT DESPOJA —This gets me back to the point about functionality or role and responsibilities. That would make it very clear that the AFP would have a role or, indeed, arguably, an exemption in this legislation when it came to copying documents or accessing information. How does that sit with the submission that you have given us this morning and the evidence that we have had from the department that you would not necessarily directly access information? I know that that was relating to the register, but you are actually talking now about access to the card and what you could do with it. Are you talking about access to the register and the information on that?

Federal Agent Drennan —I am not too sure that that is what we said this morning. Our access to information is very similar to that which Mr O’Sullivan talked about. He said that it is for the legitimate purposes of our role and function. We rely very much on the Privacy Act and the privacy principles, in that where there are legitimate reasons for other agencies to disclose that information to us then they can do so. That is what we rely upon for the gathering of information. I am not professing here that our ability to copy a card would be translated into a carte blanche ability to do whatever we like with cards. It would be for our legitimate law enforcement purposes. Again, if there were to be an amendment to that to provide us with the ability to copy the card, then it would be only allowed in the execution of our duty.

Senator STOTT DESPOJA —Can you perhaps explain what the execution of your duty might be in practice? Might you want to copy the card if someone is caught trying to put a card through a reader inappropriately or if someone is drink driving? The AFP role is slightly different, but I am just trying to work out in what circumstances would the card need to be copied or accessed for whatever reason by you.

Federal Agent Drennan —There may be a number of reasons. In relation to a criminal investigation it may well be that the person’s card has been used and they say that it was used unlawfully but not by them. In short, we would need the details of that to conduct the investigation. It may well be that we find a number of cards at a location and there is doubt in relation to the person’s authorisation to have them, so we might need to take records of them to check on the validity of them or the validity of those people having access to them. It may well be as with the Privacy Act now where there are threats to life or in disaster situations. A very good example is probably with the London bombings, where they took the details off a whole range of identifying documents that people had from the scene of the bombings and they used them to try to identify those people who were victims. Without an exemption there, it would be unlawful for us to actually record the details of the cards of people who were victims. There are a range of reasons, but it falls very much in that broad category for us to perform our functions.

Senator STOTT DESPOJA —I suspect we are going to have to chase this up with A-G’s because I think there is a strong argument that the Privacy Act covers you, but I can see your point in relation to section 57. But I suspect some of my colleagues might want to chase up some of those other issues, so are you willing to take questions on notice, specifically in relation to fraud figures?

Federal Agent Drennan —Yes.

Senator STOTT DESPOJA —Before I give other people a go, do you have a comment on sections 45 and 46, which deal with offences? In particular, do you think they are practical? Do you envisage that they would be enforced and enforceable? I am wondering if the AFP budget has been suitably increased to deal with the possible prosecutions that may result as a consequence of people breaching this legislation if it becomes law.

Federal Agent Drennan —Matters which are referred to the AFP are obviously dealt with under what we call our case categorisation privatisation model, CCPM. That deals with a range of factors but essentially it deals with the seriousness of the offence, the impact upon the referring agency, the impact upon the community and, in matters where there is a monetary value, what the monetary value may be. It would be on a case-by-case basis whether or not the AFP would be involved in the investigation. What we do with some agencies—and I think Centrelink is involved here—is that we agree to do a number of investigations during the year and they have a say in the selection of what those cases may be. Without saying yes or no to whether we would investigate it, there is a framework around which we do accept matters for investigation or, alternatively, we provide advice to the referring department on how they may deal with the matter. Again, there is a range of agencies which have their own investigative capability as well.

Senator STOTT DESPOJA —I am not exactly sure which agency I should go to first if someone orders me to produce my access card and I say, ‘I don’t have to; I am taking you to the law.’ I am not sure who is going to be responsible, but we had evidence yesterday suggesting that that kind of prosecution may not necessarily be either a priority or easy to prosecute. I guess we will wait and see.

Federal Agent Drennan —Again, we rely there on the Commonwealth Fraud Control Guidelines which stipulate that matters which are of a serious and complex nature would be referred to the AFP. But they also make provision for other agencies to do their own investigations there.

Senator FIFIELD —Mr O’Sullivan, you said earlier that there would not be any new information available to ASIO as a result of the creation of the access card. I think that is broadly what you said. The chair asked whether it would indeed be easier for ASIO to obtain information, and you said that, while it may well be, that was sort of beside the point. Accepting that, whether it is hard or easy for you, you can still get access to the information and no additional information is available to you. In relation to the photographs, however, there would be millions of Australians who do not currently have any photographic record of themselves held by a Commonwealth agency. There are people who have passport photographs, there would be ADF personnel with photographic ID, there would be a number of Commonwealth employees with photographic ID, but apart from those sorts of categories another class of person who would have a photographic record held by the Commonwealth does not immediately come to mind. Just in relation to your comment that there would not be any new information available to ASIO, would it not be true that there would be millions of Australians who would have a photographic record held by the Commonwealth government for the very first time and that that would indeed be a source of new information for you?

Mr O’Sullivan —That could be true but, as I tried to make clear in my opening statement, we come at the issue from the other end of the spectrum, as it were. We start off from very defined functions under our act and under the guidelines that we are issued by the Attorney-General and under internal protocols that we develop pursuant to those guidelines to ensure that, where ASIO investigates people, there is a credible and defendable basis and, as I said to you, a fully accountable basis to the IGIS about why we are doing what we are doing. In that case, if we have such credible information and we have such specific authorisations and we have complied with those guidelines and protocols, we can then investigate people. The way we carry out those investigations, as I said, is difficult to discuss freely in an open session like this. Nevertheless, it is the case, as you suppose, that on some occasions a photograph would be of assistance. But, to come to your question, it may be true that millions of Australians do not currently have any photographic record that is easily or directly available to the Commonwealth government, but that is not to say that there would not be other ways of obtaining a photograph of them if they were within the category that I have just described. The reason I was having difficulty with your earlier question and your question now is that you are asking me to give you an answer, or to explore an area of hypothesis, and it is a bit difficult because the nature and procedures that we follow do not suppose that we will have a photographic record of 20 million Australians. If you did have that record, I do not dispute that there could be cases where it could be easier, but there could also be cases where it would be just as easy to get it from other sources that I somewhat cryptically described in my opening statement. I think the point that you are bearing on is not an easy question to answer in a straight-up yes or no fashion.

Senator FIFIELD —I appreciate that, but I am just coming to your statement that there would be no additional information available about Australians to ASIO as a result of the creation of the access card. I am just putting that I think that that does probably need to be slightly qualified, that there would indeed be at least additional photographic records of Australians who previously did not have a photographic record with the Commonwealth potentially available to ASIO.

Mr O’Sullivan —That is true as you describe it in those terms, but what I was trying to say to you is that it could be that such photographic records exist in other contexts which would be just as easily accessible to ASIO—

Senator FIFIELD —There might be driver’s licences or—

Mr O’Sullivan —That is right.

Senator FIFIELD —I am not passing a comment as to whether that is a good or a bad thing; it is just important to have that on the record. Does ASIO think the creation of an access card is a good thing or a bad thing, or is ASIO agnostic in this regard?

Mr O’Sullivan —I think the answer is that in a formal, legal sense it is not an issue for ASIO to advise the government on whether or not it should have an access card or not or—to take up the point that was raised by the chairman earlier on and by Senator Stott Despoja too, I think—whether there should be, say, a national identity card, for argument’s sake. That is not an issue for ASIO. The only additional comment that might be of any use to the committee is to say, however, that from an ASIO perspective there would be a benefit in a broader national sense in having the highest possible achievement of identity security as was achievable compatible with other national goods such as civil liberty balances and so on; that it is a national debit if we have very high levels of fraud and if we have very low confidence in the degree of identity security that exists in this country. Although it is not really strictly an ASIO issue, my broader sense as director-general of security is that the highest degree of confidence that we can achieve, compatible with the other balances that the committee has to consider, is a desirable outcome, and moving towards that outcome is a good thing for the nation.

Senator FIFIELD —Thank you.

Senator FORSHAW —I wanted to follow up on the issue raised by the Chair and Senator Fifield, but I will make one comment first. There was a reference by Federal Agent Peter Drennan to a photo licence. I think that is applicable across the country; across all states and territories the licence has a photo. I would make the point that the purpose is different. A driver’s licence is immediate recognition for the officer when the person is engaging in the activity of driving. You can argue that is why there is a need to have a photo on the licence. The Chair has raised the issue about whether one is needed on the access card. I am having some difficulty following this logic. If there are no additional powers for ASIO and the AFP—powers that they do not already have—and there are no potential new sources of information available, only that they might be more readily accessible, how can the statement be made that this card will significantly reduce fraud?

A figure of $1 billion to $4 billion has been bandied about. I can understand the argument about its impact on fraud—that is, if you bring data together and put a chip on the card you have a much more up-to-date method of checking than currently exists with the Medicare card. But I do not see how one can argue that an access card that has a photo and a signature on it, in addition to the information on the chip, is going to be such a significant improvement that we will substantially reduce fraud on the Commonwealth. Can you give me some more information as to why you think it will? It has been put that a large amount of the fraud that exists, say, in Medicare is not through identity fraud; it is actually through overservicing and so on.

Federal Agent Drennan —The figure quoted in quantifying fraud was about identity fraud as a whole and not just in relation to fraud on any government agencies as a result of false or assumed identities.

Senator FORSHAW —That does not necessarily help your argument. I appreciate your point, and I am sorry if I misunderstood you earlier. This card is not supposed to be available to other than Commonwealth agencies.

Federal Agent Drennan —It replaces the current Medicare card, which we see is exploited considerably, in relation to assisting in establishing identities and, in many cases, fictitious identities. If you remove that card from the equation, you have a replacement card that is far more robust in its technology to ensure that it is not misused through someone else using/manufacturing them or whatever other crimes people might commit. That is where it will assist considerably in reducing the impact of identity fraud.

Senator FORSHAW —Let me put this to you. If I was sitting over there, I could argue that you can achieve that objective by revamping the Medicare Card on its own and doing the same with any of the other cards that might need to be updated. Medicare seems to be the one that most people focus on here, as distinct from Veterans’ cards or others; Medicare has a universal application. I still end up in the same dilemma. I understand it is not a policy position—and it is not your decision as to why this policy has been implemented—but you could achieve the same objective without limiting and perhaps enhancing the ability of ASIO or the AFP to investigate these things by rolling out a streamlined modern-day technologically suitable Medicare Card without a photo.

Federal Agent Drennan —We would rely upon our experience, and very much from the law enforcement perspective. Identity crime manifests itself where there is the ability to obtain documents and use documents that do not have a direct link to the actual holder of the document or they have an absence of technological features, which makes it difficult for people to manufacture or misuse that card. We are trying to put forward our experiences in the identity crime arena. We have a dedicated team in Sydney, which has been working now for three years, specifically in relation to identity crime. We now have teams in Perth, Melbourne and Brisbane, and we very much see that it is not an ad hoc thing in relation to people using false identities or assumed identities to commit crime; it is organised. A whole range of people and significant expertise are involved in this. From the perspective of trying to ensure that government services are delivered to the right person and opportunities for people to exploit a card permitting access to services are minimised, the more robust its security features can be, the better.

Senator FORSHAW —Will this card be more advanced than what is available now with a passport? I am speaking in a technological sense here.

Federal Agent Drennan —I am sorry, but that is not my area of expertise. I know there are a number of security features. Obviously the more security features that can be used in combination, then the more robust is the security of a particular document.

Senator NETTLE —I have a number of questions. I will start with one comment that we have heard a couple of times during the inquiry. There is concern amongst the community that a central database, which is proposed as a part of this, would be like a honey pot for people who are seeking to engage in some form of identity theft or identity fraud. Is that an area that either of the two organisations is concerned about?

Federal Agent Drennan —Sorry, your concern is?

Senator NETTLE —We have had a submission to this inquiry saying that, given this legislation proposes to create for the first time a database with biometric photos but with a range of other personal information about people, this is like creating a honey pot for people who want to engage in identity theft or crime; hackers or whoever will try to get in to access that information. The information is sensitive personal information, and one imagines it could be used to assist people to engage in identity fraud. Is that a concern that either of your two organisations has?

Federal Agent Drennan —We have had discussions with Human Services and it would be best to direct this question to them. They are the ones setting up the database and the security features around it. They have not raised those concerns with us in the discussions that we have had in the various working groups. My understanding is that is not a concern to that extent.

Senator NETTLE —They have not raised that issue with you. Are you aware of the AFP raising that issue or concern with them?

Federal Agent Drennan —I would really need to take some advice on that. I do not have that with me.

Senator NETTLE —That is fine. I notice in the department’s submission that AFP and ASIO are listed among the groups consulted with. I have some idea of this from Senate estimates for the AFP, but can you outline your involvement to date in the development of the access card? I am also interested in what you envisage as your ongoing involvement with the access card?

Mr O’Sullivan —From ASIO’s point of view, the answer to your question is partly the comments I made in my statement. But at a more technical level the answer to your question is that there has been a Commonwealth Reference Group on Identity Security. I note you are having evidence from the chairman of that group later today. If I understand it correctly, that consists of 31 Australian government agencies, and was formed to ensure that across-government initiatives at a Commonwealth level were aligned in their approaches. ASIO has been a participant in that process.

Senator NETTLE —That process and the other—

Mr O’Sullivan —I do not know whether the chairman intends to continue that group after the access card becomes available.

Senator NETTLE —Is that the only avenue that ASIO has had an involvement in?

Mr O’Sullivan —Yes, in respect of the access card, that is my understanding. I will check on it, but I do not think there is any other.

Senator NETTLE —I just thought I would ask, because you are on the list of people they have consulted with. I do not know whether there is any more information from the AFP about your involvement other than some that you have provided already in the past.

Federal Agent Drennan —We have participated in the legal working group, the security working group and the implementation working group with the Department of Human Services. We have also had a number of additional meetings with the Department of Human Services on specific law enforcement and security issues. We were consulted on the legislation prior to its exposure and we were also consulted on the government’s submission to this Senate inquiry in relation to the access card. We have had some ongoing discussions and involvement with the Department of Human Services in relation to the access card.

Senator NETTLE —Mr O’Sullivan, you mentioned in your earlier comments the requirements in terms of ASIO’s access to information held by the Commonwealth. I thank you for the reference to the guidelines on your website. You indicated that ASIO did not need a warrant to access it. Can you elaborate on that? From the estimates Hansard that you were referring to, there seems to be a discrepancy in terms of the response from the Department of Human Services?

Mr O’Sullivan —I think you are right. Yes, I think there was a discrepancy. If I have been advised correctly, the legal position is that because of the provisions of both the ASIO Act 1979 and then the exemption provisions located in the Privacy Act 1988, ASIO does not require a warrant. Some of the comments at one stage before the estimates committee may not have accurately reflected that position.

CHAIR —You would not need a warrant to have access to the photographic database?

Mr O’Sullivan —That would be correct; as we do not need a warrant—

CHAIR —I am glad that is on the record. I wonder if people know that.

Mr O’Sullivan —I do not know what people know or do not know.

CHAIR —That is on the record.

Senator NETTLE —In terms of the evidence that we received previously, perhaps I will read it out for you.

Mr O’Sullivan —If you would, please.

Senator NETTLE —At estimates on 16 February, the Secretary to the Department of Human Services stated:

The Australian Federal Police will be required to have a search warrant to access the database.

She went on to state:

But if they are responding to a threat to life, a threat to injury, an investigation of missing persons, a disaster victim identification or an emergency response then clearly in those circumstances we would be trying to facilitate their faster access.

I took from that she was saying that normally there would be a search warrant but in those circumstances not. Is that your understanding of what kind of access you would have to the database as well?

Federal Agent Drennan —As I said before, we would rely very much on what is outlined in the Privacy Act and the information privacy principles as to the basis on which agencies can disclose information to us for our purposes. The Secretary to the Department of Human Services was accurate there except that there is an additional one concerning the enforcement of criminal law. Principle 11(1)(e) states:

… disclosure is reasonably necessary for the enforcement of the criminal law or enforcement of a law imposing a pecuniary penalty, and protection of public revenue.

CHAIR —To have access to this photographic database would you need a warrant?

Federal Agent Drennan —It would depend on the nature of what it was for.

CHAIR —Can you give me some examples?

Federal Agent Drennan —If we were seeking evidence to put before the court there is a likelihood that we would proceed with a search warrant. It is a bit difficult, because the bill is still a bill and it does not cover off on those aspects. In the current situation, with Centrelink and Medicare we rely upon the provisions in the privacy principles and also the act. There are occasions when we need to use search warrants as well. Without having specific legislation and what it says and does not say, there are a range of reasons why we would need to have access, as outlined there, and it would depend on those circumstances as to what method we would use to get that.

CHAIR —It would not need to be a national security issue to have access to a national biometric photographic database? You would have access to that even if the matter were not a matter of national security, would you not?

Federal Agent Drennan —If there were a specific purpose. It is not just that, if we had a whim, we could have a look there.

CHAIR —I understand that.

Federal Agent Drennan —The roles, functions and the enforcement of the criminal law are what we would be relying upon.

CHAIR —But you would not need a warrant, would you?

Federal Agent Drennan —Again, it depends on what purpose it is for.

CHAIR —It would not need to be a matter of national security, would it?

Federal Agent Drennan —The national security would be a matter for—

CHAIR —Would it need to be a major crime?

Federal Agent Drennan —Again, it depends on why we needed it. If there were a major crime and someone’s life was at threat, we certainly would not be going down the road of a search warrant.

CHAIR —The committee will investigate what the precise powers are. I think we will have to dilate on this.

Senator NETTLE —To assist with my understanding of the circumstances, there is an APEC conference coming up in Sydney. One imagines that protest activity would be part of such events wherever they occur. Perhaps I should use a more generic example. Would you require a warrant in those sorts of instances to access the database?

Federal Agent Drennan —Because it is hypothetical, I am not sure what offence we might be investigating and what the circumstances are or whether we are seeking evidence in relation to a prosecution. It is quite difficult to be specific and say yes or no in relation to that.

Senator NETTLE —In terms of guidance for the committee in understanding that, the wording that we have from the Department of Human Services is:

… if they are responding to a threat to life, a threat to injury, … missing persons, disaster identification or emergency response …

Does that provide us with an accurate essence of the sorts of instances where the AFP would not require a warrant? That is what we are working on so far in answer to that question. I wanted to check with you if we are on the right path in understanding that?

Federal Agent Drennan —Yes. However, the other aspect is in relation to the enforcement of the criminal law.

Senator NETTLE —Principle 11 in the Privacy Act?

Federal Agent Drennan —Exactly.

Senator NETTLE —Principle 11 talks about a criminal law investigation. That would be any investigation. The principle is:

… disclosure is required or authorised under the law.

And then:

… disclosure is reasonably necessary for the enforcement of the criminal law.

That exemption in the Privacy Act is not specific to instances where there may be threat to life, threat to injury or the definition we have been given already. If you are working off an assumption that your access is determined by the Privacy Act, my reading of the Privacy Act is that you are exempt from the Privacy Act in any criminal investigation. Tell me if I am reading it wrong, but that is my understanding.

Federal Agent Drennan —Firstly, as I understand it, the access provisions of the bill have not been finalised, so we are hypothesising to that degree. The privacy principles are circumstances in which information can be disclosed. The onus reverses there; we can make requests in relation to those matters, and the department to whom we are making the request considers against the privacy principles whether or not they will disclose information to us.

Senator NETTLE —You mentioned earlier the issue around clause 57 of the bill and your concerns there.

Federal Agent Drennan —Yes.

Senator NETTLE —The committee has had drawn to it on a number of occasions that within the legislation there is an exemption from Crown prosecution of Commonwealth and state officers. Is it your understanding that that exemption from prosecution would apply to both of your organisations? Perhaps you are not in a position to answer this—and I can ask somebody else—but because it is Commonwealth and state and territory officers I would imagine state police as well would be exempt from any prosecutions proposed in this bill. Is that your understanding of the Crown exemption in this bill?

Ms Hanks —What section is that?

Senator NETTLE —I will just try to find it. I do not have it in front of me.

CHAIR —You continue, Senator Lundy, and we will come back to Senator Nettle.

Senator LUNDY —Yesterday in Melbourne we heard evidence from the Electronic Frontiers association about the prospect of tracking the use of the card. The scenario was that every time someone used their access card, whether to claim concessions or any of the private uses that people may have installed on their card in the future, that would be able to be tracked. The evidence went along the lines that the audit log of use could either be stored on the card itself or on the central database and updated whenever it was used with the appropriate software. Does the AFP or ASIO have any view or knowledge about the tracking capability of the central database or the technology underpinning the access card, and is that something that you have considered in your activities in enforcing the law?

Federal Agent Drennan —I am not aware of the evidence given yesterday and what that revolved around. Likewise, I do not have the technical knowledge in relation to the capabilities of the system. That is probably best directed towards the Department of Human Services. I assume they would have that knowledge.

Senator LUNDY —One of the problems with this inquiry is that there is not a lot of detail about the technical operation of the software and the hardware and how it all interacts. Perhaps I can ask Mr O’Sullivan: does that tracking technology have particular relevance to your organisation and would you be seeking that capability within this system to help you do your job?

Mr O’Sullivan —I would have to take some technical advice but, as I said in my opening statement, one of the things that is already clear is that ASIO would not have direct access to the databases that underpin this card if they come into existence. I suppose, since we would not have that direct access, any so-called tracking capability would probably not be relevant, but I would need to get some technical advice on that.

Senator LUNDY —The other issue is the powers that exist with respect to the telecommunications system. We are not aware of the communications between the various parts of the computer network; the telecommunications system may well be used for transferring data or the bit stream of information relating to this card. Are you able to advise this committee whether ASIO is communicating with the Department of Human Services about that kind of surveillance or tracking of the card’s use via the telecommunications system, where you do have extensive powers?

Mr O’Sullivan —I am not aware of that, but I would repeat the point I made earlier on. If there were legitimate reasons from a national security/counter-terrorism point of view that required us to try to obtain that information, we would do so and we would have done so at any point in the past irrespective of whether this particular card comes into existence. I do not have any reason to believe that the proposition that the existence of this card somehow increases those things has any validity. I will check and get technical advice on it, but the answer broadly to your question is that that is not the case.

Senator LUNDY —I know that my colleagues have asked this in different ways; I will have a go as well. As an organisation, to what extent are you able to insert yourself in the discussion of the design of the technology that is going to deliver this system, both in the construct of the database and how it is connected across the country?

Mr O’Sullivan —As I said in answer to an earlier question, we were part of the 31 Commonwealth agencies who participated in the reference group and, as I said, the chairman of that group is coming to speak to you later today so you will be able to get a more precise understanding from him. My understanding at this point is that there has not been any ASIO consideration of the particular technologies and that those matters are all matters that are before the Department of Human Services. We have not had any particular input into the choices that they make.

Senator LUNDY —We are going to have some sort of communication with DSD on their role in authorising the security aspects of the system, but what liaison do you have directly with Defence Signals Directorate in their role in determining and setting the parameters for the levels of security applying to this system’s architecture?

Mr O’Sullivan —That is a broader question about Commonwealth security issues. The answer is that we have a very extensive interaction with DSD about how secure systems for the Commonwealth—and, more generally, if states and territories follow Commonwealth guidelines—are established. An ongoing function of ASIO is to be a substantial contributor to the formation of Commonwealth standards on security. One of our statutory functions is to provide guidance to the Commonwealth community generally about the observation of security requirements. In the particular case that you mentioned, we have a constant interaction with DSD to ensure that the standards are maintained in view of evolving technology and so on.

Senator LUNDY —We heard evidence from CSC—Computer Sciences Corporation—which acknowledged they were tendering and could not say too much about the tender process. One thing we did ascertain in evidence from them and others is that the security features of whatever system wins the successful tender will not be assessed until after that decision has been made on who gets the job. That implies that these things will not be fully resolved until after a tender is in place. Can you tell the committee if both ASIO and DSD’s roles in determining the levels of security and the quality of security can still be applied effectively even if the contract has already been let? The Commonwealth, at least in my observation, has left that open to a degree. I am not saying that it would remain open, because there is clearly a procedure there. But it has been left open as far as the contract requirements go.

Mr O’Sullivan —I do not have any particular knowledge of those administrative arrangements, but they would be implemented by the Department of Human Services. If the card comes into being, for implementing those databases and the development of the software there would be a generic requirement to comply with Commonwealth security standards.

Senator LUNDY —There was some discussion before about the levels of fraud with respect to Medicare cards per se. Are you able to advise the committee on the degree to which the databases that currently support the Medicare card, for example, the HIC computer databases and other participating agency databases, come under attack from hacking and so on? I am not really talking about the human issues of human errors and crimes but really the technological crimes in hacking. I am aware of the ISIDRAS reporting system, which rates different attempts to hack at different levels or different security breaches. My question is: can you provide the committee with information on the number of attacks that have occurred on participating agencies databases and to what ISIDRAS level those attacks have been rated?

Federal Agent Drennan —The short answer is no. I would qualify that on the basis that attacks on the databases of those agencies would not necessarily be referred to the AFP. They may well be, and we would provide assistance or advice either through ourselves or through the Australian High Tech Crime Centre, which is hosted by the AFP and provides significant support to other agencies in that sphere of technological attack. The High Tech Crime Centre sits within my functional responsibilities. I am not aware of any significant attacks on agency databases that have occurred from a criminal perspective. There may have been attacks of which the agencies have not advised us, but I would be surprised if that were the case. Obviously, those agencies would be able to provide the definitive response there.

Senator LUNDY —I will certainly be pursuing it with them. There was a Joint Committee of Public Accounts and Audit inquiry into the integrity of Commonwealth information. It did make a recommendation that the AFP ought to be advised of all significant attacks of a certain level or higher. That recommendation was accepted by government, so I would be really concerned if the AFP were not being notified as a matter of course of any level of attack on these systems.

Federal Agent Drennan —As I said, it would come to the AFP either directly or through the High Tech Crime Centre. I am not aware of any, so all I can take from that is that there has not been a significant one that has been reported to the AFP.

Senator LUNDY —It would be helpful if you could take that on notice and go back to the High Tech Crime Centre and ask them if they have got any statistical analysis of attacks on the agencies involved with the access card.

Federal Agent Drennan —Certainly.

CHAIR —Do you have some more questions, Senator Nettle?

Senator NETTLE —Yes, Chair. I will probably ask if I can put some on notice because we are limited as to time. I refer to the Crown immunity clause in part 1, division 5, section 9 of the bill. It is about the act binding the Crown. The second part of it says that the act ‘does not make the Crown liable to be prosecuted for an offence’. I want to ask you about that because your comments previously about section 57 seemed to imply that you thought that the AFP could be caught by that. I want to ask both agencies—and I think this is pretty clear—if you understand that, as officers of the Crown, you would not be liable to be prosecuted under that offence.

Ms Hanks —We would have to take advice on that because from previous consultations with Human Services we could not receive any certainty that the section 57 offence would not apply unless we were clearly authorised under section 72. We would need to take advice on whether that would exactly exempt us from the section 57 offence.

Senator NETTLE —I would appreciate it if you could let us know about that. Mr O’Sullivan, do you have anything to add in relation to that?

Mr O’Sullivan —My legal advice is that ASIO is exempt from the application of the Privacy Act.

Senator NETTLE —I accept that absolutely. My question relates to the exemption in this bill for Crown agencies. Presumably that would apply to ASIO as a Crown agency?

Mr O’Sullivan —Yes.

Senator NETTLE —We were having some discussion before about data matching. This is a tricky one as to working out how exactly to ask the question, because you were being asked about the database and what possibilities that opened up. Perhaps one way I could ask the question is this: could both of your agencies provide for us, on notice or now, an indication of how often you currently access the Department of Human Services or Centrelink information?

Mr O’Sullivan —This is a question that I thought someone from the committee might ask me. I am not able to answer that sort of question. Even if we had data in that specific sense, that gets too close, from my point of view, to revealing the way we operate.

CHAIR —I understand that.

Mr O’Sullivan —I cannot divulge that.

Senator NETTLE —Yes, I have been trying to find a way here. We were going through a discussion before about what opportunities this database opens up. Your answer to us was that you can already do all of this and another comment that we have heard is that this makes it easier. I am trying to assess that. That is why I am asking the question.

Mr O’Sullivan —I understand your line of questioning. That is partly why I put into my opening statement those comments about the overview and oversight mechanisms to which we are subjected and why I referred to the fact that there is a very narrowly defined basis for our activities. We have procedures and protocols in place that I alluded to and guidelines which are available publicly to specify how we have to operate legally, lawfully. I cannot go into the answer directly to your question about numbers or the precise degree of access, but what I am trying to do is answer the question by pointing towards the way in which the system monitors the activities of its secure intelligence organisation.

Senator NETTLE —Which is that you can already data match?

Mr O’Sullivan —I did not say that but you might infer that.

Senator NETTLE —Sorry?

Mr O’Sullivan —The answer is that obviously we can already access data from a whole range of sources and, as I have said, the creation of this particular database does not affect that current arrangement.

Senator NETTLE —Is there anything from the AFP on that point?

Federal Agent Drennan —I do not have those details with me. I would need to take that on notice.

Senator NETTLE —Mr O’Sullivan, in answer to a previous question you talked about the idea—and I have never claimed that you have access to this database—of how you can access the information. In the department’s submission to this committee, they talked about all the transactions involving the card being logged. Your answer before was that, given you do not have access to the database, you could not track. That statement ignores the fact that actually all the transactions involving the card are logged and that, given your comments that you have already made about your ability to have access to that information, you could.

Mr O’Sullivan —There are two separate points. I thought that I understood your question correctly. One issue is: under the provisions of the current bill if it were passed, would ASIO have direct access online to the information? The answer is no.

Senator NETTLE —That is right.

Mr O’Sullivan —Would ASIO be able to seek information that is in the database in the way that it can seek information that is not currently in that particular database but which is in other databases? The answer is yes.

Senator NETTLE —My corollary, and this perhaps does not even involve you, is that, given that all the transactions involving the card are going to be logged and in that database, that answers the question about whether or not you would have access to that. But you have already answered that question. I do have some more questions but I am prepared to put those on notice if you are both happy to take those questions.

CHAIR —Please do, Senator. Federal Agent Drennan, before I refer back to Senator Lundy for questions, I refer to a question that I asked earlier that I now ask you to take on notice. Can the AFP provide to the committee details of the research organisations and their research leading to the commissioner’s statement that identity theft in Australia costs between $1 billion and $4 billion annually?

Federal Agent Drennan —We will, Chair.

Senator NETTLE —One of mine questions on notice relates to that, because there was a statement, in a media release issued by the Attorney-General and the minister for customs last week, saying $1 billion, and we have another one from them earlier saying $1 billion as well. I will provide those references to you to assist you in providing that answer to us on notice.

Federal Agent Drennan —That is why I qualified it earlier, saying it is difficult to quantify. That is why there is a range, as opposed to specifics.

CHAIR —I do understand that. It is more for our report. We need that research, in a sense.

Senator NETTLE —Federal Agent Drennan, so what you are saying is that your definition of identity fraud includes the under-age teenager who is trying to get into a nightclub. I am trying to work this out. If you are talking $4 billion, the teenager getting into the nightclub with a fake ID is not costing the Commonwealth any money. I accept what you are saying—that you can have a big definition of identity fraud that includes the teenager getting into the nightclub—but I will put on notice those questions about how that adds to the $4 billion, because it does not seem to cost the Commonwealth anything if under-age kids go drinking in nightclubs.

Federal Agent Drennan —It may in a health sense.

CHAIR —We will go to Senator Lundy.

Senator LUNDY —Apropos of the concern about the facial recognition technology deployed in Customs, does the AFP or ASIO have a comment about the veracity or quality of biometric photographs as a way of identifying people quite specifically, or do your organisations have views that another form of biometric identification would be more effective for serving the purposes of preventing crimes?

Federal Agent Drennan —That is an area where there is particular expertise in relation to the technology surrounding facial recognition software. Certainly I am not qualified to answer to the extent of that. I know that is an area where the technology and accuracy are developing quite rapidly.

Senator LUNDY —Do you know what the current percentage of accuracy is?

Federal Agent Drennan —No, I could not tell you that.

Senator LUNDY —Can you, Mr O’Sullivan?

Mr O’Sullivan —No, I do not have any technical information to answer that question, but I understand there is an answer to your question. I assume that the people who assemble the technology can bring it to you, but it is not an ASIO issue.

Senator LUNDY —Do you have a view on which is the best? Obviously DNA sampling would be the best, but that is not particularly practical for an access card. Is there a rating of biometric testing that you can refer to that shows what is the best?

Mr O’Sullivan —My understanding of the question is that it is partly a question of what you want to buy and how much you are prepared to pay. It is just a question for consideration. I think it is the case that if you multiply features you get higher degrees of confidence. If you are satisfied with whatever degree of confidence that biometrics brings you then that is fine, but if you are not satisfied with that then you can think about other things that you want to do to increase your degree of confidence. Then there is the question of what costs of various kind—monetary and intrusiveness—you are prepared to pay for it. I do not have a technical answer to your question. But the broader point that I made before was that the higher the degree of confidence that you have in identity security, the greater the validity of the system that you construct.

Senator LUNDY —Thank you for that comment. Can I ask the AFP the same question and can you offer any insights along a similar vein?

Federal Agent Drennan —We would very much agree with what Mr O’Sullivan said and would add that law enforcement has relied upon fingerprints for many years. They are a very accurate form of identification. However, when you weigh that up, similarly to your comment in relation to DNA, the practicalities of people having their fingerprints recorded is one which would probably have similar aspects to DNA. The position that we take is that there are a number of biometric identifiers and there is continuing development and research in relation to those. Those biometric identifiers which have been used for longer periods of time and where there has been more research are probably more accurate. Again, I would need to qualify that, but that is the extent of my knowledge.

Senator LUNDY —Do you use biometric photographs as part of your kit of systems of identification of alleged criminals? Do you have that capability within your suite of technologies currently?

Federal Agent Drennan —We are starting to get into an area of operational issues that I would not want to go to in a public forum.

Senator LUNDY —I will take that as a yes, but I take your point. I should say that is a reasonable question given that we are now talking about the deployment of a biometric photograph system. I think it is important for the public record to know whether the police have the capability of identifying people using biometric photos, so I will ask you again whether you have that capability.

Federal Agent Drennan —As you said, facial recognition software is used by Customs in conjunction with passports. Customs and the Department of Foreign Affairs and Trade could probably make some comment in relation to their experiences with that. It would answer your question to say that that technology in relation to facial recognition is available to us. It is a tool which is effective in combating identity crime. The point that I made very early on today was that, when we are talking about false identities, names do not actually mean anything, because that is exactly what is being manufactured or taken over. It is the ability to be able to link a name to an identifier of a particular person that is the greatest tool in combating identity crime.

Senator LUNDY —Thank you.

CHAIR —Hence the problem with the Medicare card. You have just got a name and number and there is nothing else. Senator Nettle, do you have a quick question?

Senator NETTLE —Mr O’Sullivan, you indicated that ASIO is exempt from the Privacy Act. Is that under principle 11 of the Privacy Act or is that somewhere else that I am missing?

Mr O’Sullivan —I do not have the act in front of me. I will get you advice on that.

Senator NETTLE —Thank you.

CHAIR —Senator Stott Despoja, do you have anything further?

Senator STOTT DESPOJA —I will put mine on notice to save time.

CHAIR —Thank you very much for your assistance this morning.

[10.43 am]